FRAMINGHAM (04/03/2000) - Week 4: Pat lines up political support for a shift to modem pooling and proposes strict password process

Have you ever noticed that people are gung-ho about your new job and give you tons of "attaboys," until you begin to make policy? Then their attitudes change, and they seem to think, "He was so cool when he was just a network admin." I think the honeymoon is over.
We have more than 120 modems on our campus, and I have set a deadline of May 1 to replace all of them with Shiva dial-out modem pools from Intel Network Systems Inc. in Bedford, Massachusetts, formerly Shiva Corp. This will reduce our exposure to war dialers and the biggest back door to our network, since all outgoing modem connections will pass through a single access point, which we can more easily secure.
Don't Take My Modem
To begin, I drafted an e-mail to the information technology department, which includes a staff of 70 full-time programmers, notifying them that they would be the first to receive the modem-pooling software. I chose the Shiva Dial-Out Chooser, which uses the dialout features of our LanRover D56 dial-up access switch.
Well, almost immediately, e-mails started to flood in from the programmers, who said they wanted to run tests to make sure all of their applications would work on the new modem pools. One of their favorite applications is Symantec Corp.'s pcAnywhere, which is a notorious back door because it's designed to make it easier for outsiders to dial in to systems and control them remotely - which, of course, makes it easier for hackers to do the same thing.
I sent the programmers a note explaining that because the help desk was doing the conversion for us and they don't want to make two trips to each workstation, the programmers' modems would be removed and the analog lines disconnected at the same time that the new modem pool software was installed.
The e-mails continued to fly. My boss advised me to just ignore them. I must say that he's behind me 100 percent, and that helps in creating a standard that wasn't there before.
Punting on Passwords
Moving on to another security fiasco, it appears that our corporate password policy is to force passwords to be at least eight characters long and changed every 90 days. But it also appears that the higher you are in the company and the more access you have to critical data, the less restrictive the password policy is. For the big bosses, there is no expiration period and only a four-character length requirement. I believe this began when a bigwig in our company managed to get a shorter password that never expires.
I decided to call a meeting with my boss, since he's been with the company two years longer than I, to discuss the challenges of changing the password policy.
He reminded me that if I change the expiration period to 45 days from 90, the help desk is going to get hammered. More than 500 passwords would expire immediately. We also discussed the fact that enforcing a policy in which passwords consist of mixed alphanumeric symbols - not just numbers in front of or behind whole words - is going to be extremely hard. I've tabled the issue, for now.
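The two mechanics in that discussion, a complexity rule that catches digits simply bolted onto a whole word and a cutover that does not dump every overdue account on the help desk at once, are easy to get wrong, so here is an added Python illustration of both. This is example code written for this page, not anything from the column or the company's systems. The wordlist and account ages are constructed; the "three of four character classes" rule and the leet-speak normalization are my reading of "mixed alphanumeric", and the weekly-batch scheduler is one way to spread out the forced expirations, not the policy the column settled on.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8          # the existing eight-character rule
NEW_MAX_AGE_DAYS = 45   # the proposed replacement for the 90-day rule

# Constructed stand-in for a real dictionary wordlist (assumption: a real
# deployment would load a cracking wordlist rather than this handful).
WORDLIST = {"password", "welcome", "summer", "company", "secret", "admin", "letmein"}

# Common substitutions users make so "Passw0rd" still reads as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core_word(pw):
    """Strip digits/symbols from both ends and undo common substitutions,
    leaving the 'whole word' the user typed: 'Summer2000!' -> 'summer'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return stripped.lower().translate(LEET)


def check_password(pw):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.islower() for c in pw),
               any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if core_word(pw) in WORDLIST:
        problems.append("dictionary word with digits/symbols only at the ends")
    return problems


def stagger_expirations(password_ages, start, batches):
    """password_ages maps user -> days since the last change.

    Accounts already past NEW_MAX_AGE_DAYS are spread over `batches` weekly
    batches beginning at `start` instead of all expiring on cutover day;
    everyone else expires when their password reaches the new maximum age."""
    schedule = {}
    overdue = sorted(u for u, age in password_ages.items() if age >= NEW_MAX_AGE_DAYS)
    for i, user in enumerate(overdue):
        schedule[user] = start + timedelta(weeks=i % batches)
    for user, age in password_ages.items():
        if user not in schedule:
            schedule[user] = start + timedelta(days=NEW_MAX_AGE_DAYS - age)
    return schedule


def batch_sizes(schedule):
    """How many accounts expire on each date, i.e. the help desk's daily load."""
    sizes = {}
    for day in schedule.values():
        sizes[day] = sizes.get(day, 0) + 1
    return sizes


if __name__ == "__main__":
    for pw in ("Summer2000", "Passw0rd1", "Su7mmer!99"):
        print(pw, check_password(pw) or "OK")
    # Constructed sample: 500 accounts whose passwords were changed at
    # evenly spread points in the old 90-day cycle.
    ages = {f"user{i}": i % 90 for i in range(500)}
    plan = stagger_expirations(ages, date(2000, 5, 1), batches=4)
    for day, n in sorted(batch_sizes(plan).items()):
        print(day, n)
```

With the constructed sample the four weekly batches each carry under sixty forced resets, and the remaining accounts trickle in a few per day as they age out, which is the curve to show the help desk before changing the 90-day setting.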
First, Ask the Lawyers
Next stop was our legal department, to see what I can do to begin implementing corporate policies regarding our network.
The first subject was a release document for our network topography playbook, a binder that will have our entire network diagrammed both physically and logically. It will even include emergency contact numbers so we can be reached in the middle of the night to cut the response time to any event. The challenge is that this is information we want to protect. The legal department and I drafted a document specifying how people must protect this data that I will post later this month when it's approved. The book will be distributed to only 11 people. We want those people to take the security of this information seriously.
The next topic was how to develop a complete set of security policies. I found a great set of sample policies at the Web site for the SANS Institute. It covers almost every policy aspect that we need in our company. The legal department loved it because it gives our company a head start in what needs to be covered.
Demos of the Week
The last meeting of the week was with Network Associates Inc. (NAI) to see a demonstration of CyberCop, a full intrusion-detection system. Just to refresh your memory, I was trying to install Internet Security Systems Inc.'s (ISS) RealSecure and Network Ice Corp.'s IcePac suite in our lab to test an intrusion-detection system for our internal network.
I found the Network Ice product difficult to install and to use, with a cumbersome Web interface console. I really like it as an intrusion-detection system for the home user, but not for an enterprise. RealSecure is also difficult to install. I invested two days in the lab and still haven't figured it out. And I can't make the time to read the five 100-page manuals.
I was impressed by NAI's CyberCop product demo. It appeared to be very easy to use and configure out of the box because it takes advantage of the Microsoft Management Console (MMC). I will wait and see whether that remains true when I get the product to test on my network.
Then there's the cost. NAI produces great stuff, and the pricing is in line with that of other vendors - maybe even a little less. The quote we got for 50 units was around $10,000, including two years of support.
Next week, I will be in the ISS-sponsored Check Point Software Technologies Ltd. FireWall-1 class for four days. I'm looking forward to it because I need to learn about the virtual private network (VPN) and SecuRemote/SecureClient piece of the software. I have 35 Microsoft Exchange sites I need to connect to our corporate headquarters, and static IP addresses are becoming extremely hard to get outside of the U.S. We're hoping that establishing a VPN will ease that challenge for us.